An escalating little Telstra privacy breach

What voicemails have you received recently? A birthday message from a mate? Your mechanic letting you know your car’s ready? A doctor calling about your child’s test results? Your psychologist confirming an appointment? A lawyer to say your divorce papers are ready?

Now, who have you given or sold an old iPhone to? A family member? A colleague? A stranger? How would you feel if you discovered they had been listening to your messages?

If you’re up-to-date with my previousblogposts on this, feel free to jump ahead. If you’d like a walk down memory lane, please allow me to take you on a journey…

A short history of nearly everything

When the new owner of my old, formatted iPhone contacted me on Wednesday Jan. 20 to say they’d been receiving my voicemail I was immediately terrified. Not for my own privacy – I don’t receive many messages and I knew the person who had the phone – but for whoever else could be affected and to what degree. Telstra immediately denied this was even possible but having seen (and heard) my voicemail on this old device I thought to email The Age.

I’m pretty sure it was Fairfax tech journo Hannah Francis‘ call to Telstra on Thursday Jan. 21 that got the cogs turning; I was called by Telstra’s high-risk complaints team, then a senior engineer confirmed what I’d experienced and put a temporary fix in place, some 30 hours after I first contacted Telstra. Hannah’s article (Telstra privacy breach leaves customer’s voicemail exposed) was published online on Friday Jan. 22 and in print on Saturday Jan. 23. The engineer flew to Melbourne on Sunday Jan. 24 to have a look at the old iPhone.

Communication from Telstra had been thin at best. Then late on Monday Jan. 25 I received an automated email to tell me Telstra had “sorted out” the issue; no explanation of what had happened or how it was fixed. Then, on Tuesday Jan. 26, I received Telstra’s official statement:

We apologise to customers affected by this and thank them for their patience as our engineers investigated the reports.

Overnight we have successfully tested, and are currently rolling out, a fix to address it.

We will be informing any customers who we identify may have been affected of the steps being taken.

And until this afternoon, Wednesday Jan. 27, that’s all she wrote.

Big trouble in little Australia

I’ve openly stated that, by raising and pursuing this issue, I wanted to ensure the cause of this issue was found and resolved, not just its symptoms. While mulling over everything today I read back over Hannah’s article, my Telstra chat logs and my blog posts. I remembered a comment from Matt who said he’d seen the issue before and that it might have something to do with the activation of the iPhone after it is reset using an active Telstra SIM. I whipped out another spare iPhone (I’m a hoarder of these things), played around for a while and sure enough, I have been able to replicate the issue. This. Is. Huge.

Once it’s restarted, follow the prompts to set the device up as a new iPhone. To prevent the Apple ID the following:

Select Your Country: Australia

Choose a Wi-Fi Network: Use Mobile Connection

Location Services: Disable Location Services

Create a Passcode

Set Up as New iPhone

Apple ID: Don’t have an Apple ID then Set Up Later in Settings then Don’t Use

Terms and Conditions: Agree then Agree

Siri: Turn On Siri Later

Diagnostics: Don’t Send

Welcome to iPhone: Get Started

Turn the iPhone off.

This is the point I have gotten to every single time I have passed on an iPhone. Every. Single. Time! I want to make sure all my data and apps are definitely gone; seeing the stock home screen, Stocks and all (see what I did there?), is the best way to confirm everything is shiny and new. From memory iOS 7 was the first to force a passcode so any recent hand-me-downs were sent with the code! I doubt I’m the only person who’s done this.

Insert the other person’s SIM.

Call your own number and leave yourself a voicemail or two.

Turn the iPhone on.

Want to see it in action for yourself? Here you go! The video is long I’m sorry, but it covers the process to replicate the issue.

At this point I really hope you don’t find that your voicemails are still being delivered to what is now effectively someone else’s iPhone.

Oh, the thinks you can think

There are so many questions here:

Why are my voicemail credentials not removed when the iPhone is restarted with another service?

Is this a Telstra issue or is this the iPhone/iOS itself not dealing with the change of SIM?

Does this happen with other iPhone models and iOS versions?

Does this happen on other networks in Australia and around the world?

How many people has this affected, for example Telstra customers with Visual Voicemail who have passed on an iPhone to a Pre-Paid user?

So, what happens next? I honestly don’t know. I feel like I’ve climbed a hill to find a mountain behind it. Right now, I’m going to sit down and enjoy the view.

2 Comments

I think its the actual on screen voice mail that is bugged , mabey try with an android phone to eliminate the devices , mabey could be an i.p issue im assuming this on screen voicemail uses data instead of call credit, if so than i think when you first activate ur sim with the on screen feature it gets a MAC address or I.P and is sending the voice mail to a device rather than a sim or phone number , this is my theory lol

I had a similar privacy issue but with contacts. After a reset on a iphone 4s I can see my friends (previous owners) contacts when I start to type the recipients name in a text message. The popup suggestion (name & number) reveals my matching contacts and hers. If you click on the ‘i’ from the popup contact it doesn’t have any detail but you can essentially search their contacts systematically and copy them.

Bandman is a DIY band management platform I built having played in and managed bands. Chasing artist availabilities, storing client and venue info and generally keeping on top of everything can be hard work. Bandman makes it easy!